Merge pull request #438 from grooverdan/solid-pop3d

ENH: filter for Solid-pop3d

ChangeLog

@@ -17,6 +17,9 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better
 
 - New Features:
 
+  Daniel Black
+   * filter.d/solid-pop3d -- added thanks to Jacques Lav!gnotte on mailinglist.
+
 - Enhancements:
 
 

THANKS

@@ -33,6 +33,7 @@ Georgiy Mernov
 Guillaume Delvit
 Hanno 'Rince' Wagner
 Iain Lea
+Jacques Lav!gnotte
 Jonathan Kamens
 Jonathan Lanning
 Jonathan Underwood

config/filter.d/solid-pop3d.conf

@@ -0,0 +1,32 @@
+# Fail2Ban filter for unsuccesful solid-pop3 authentication attempts
+#
+# Doesn't currently provide PAM support as PAM log messages don't include rhost as
+# remote IP.
+#
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = solid-pop3d
+
+failregex = ^%(__prefix_line)sauthentication failed: (no such user|can't map user name): .*? - <HOST>$
+            ^%(__prefix_line)s(APOP )?authentication failed for (mapped )?user .*? - <HOST>$
+            ^%(__prefix_line)sroot login not allowed - <HOST>$
+            ^%(__prefix_line)scan't find APOP secret for user .*? - <HOST>$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# solid-pop3d needs to be compiled with --enable-logextend to support
+# IP addresses in log messages.
+#
+# solid-pop3d-0.15/src/main.c contains all authentication errors
+# except for PAM authentication messages ( src/authenticate.c )
+#
+# A pam authentication failure message (note no IP for rhost).
+# Nov 17 23:17:50 emf1pt2-2-35-70 solid-pop3d[17176]: pam_unix(solid-pop3d:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=jacques
+# 
+# Authors: Daniel Black

config/jail.conf

@@ -518,6 +518,14 @@ action  = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,subm
 logpath = /var/log/secure
 
 
+[solid-pop3d]
+
+enabled = false
+filter  = solid-pop3d
+action  = iptables-multiport[name=solid-pop3, port="pop3,pop3s", protocol=tcp]
+logpath = /var/log/mail.log
+
+
 [selinux-ssh]
 enabled = false
 filter  = selinux-ssh

testcases/files/logs/solid-pop3d

@@ -0,0 +1,25 @@
+# failJSON: { "time": "2004-11-15T00:34:53", "match": true , "host": "123.33.44.45" }
+Nov 15 00:34:53 rmc1pt2-2-35-70 solid-pop3d[3822]: authentication failed: no such user: adrian - 123.33.44.45
+
+# All below are manufactured from looking at log
+# failJSON: { "time": "2004-11-15T00:34:53", "match": true , "host": "123.33.44.45" }
+Nov 15 00:34:53 rmc1pt2-2-35-70 solid-pop3d[3822]: authentication failed: can't map user name: adrian - 123.33.44.45
+
+# failJSON: { "time": "2004-11-15T00:34:53", "match": true , "host": "123.33.44.45" }
+Nov 15 00:34:53 rmc1pt2-2-35-70 solid-pop3d[3822]: authentication failed for user adrain - 123.33.44.45
+
+# failJSON: { "time": "2004-11-15T00:34:53", "match": true , "host": "123.33.44.45" }
+Nov 15 00:34:53 rmc1pt2-2-35-70 solid-pop3d[3822]: authentication failed for mapped user adrain - 123.33.44.45
+
+# failJSON: { "time": "2004-11-15T00:34:53", "match": true , "host": "123.33.44.45" }
+Nov 15 00:34:53 rmc1pt2-2-35-70 solid-pop3d[3822]: root login not allowed - 123.33.44.45
+
+# failJSON: { "time": "2004-11-15T00:34:53", "match": true , "host": "123.33.44.45" }
+Nov 15 00:34:53 rmc1pt2-2-35-70 solid-pop3d[3822]: can't find APOP secret for user adrian - 123.33.44.45
+
+# failJSON: { "time": "2004-11-15T00:34:53", "match": true , "host": "123.33.44.45" }
+Nov 15 00:34:53 rmc1pt2-2-35-70 solid-pop3d[3822]: APOP authentication failed for user adrian - 123.33.44.45
+
+# Real log messages again:
+# failJSON: { "time": "2004-11-17T23:10:03", "match": true , "host": "190.16.165.230" }
+Nov 17 23:10:03 emf1pt2-2-35-70 solid-pop3d[16993]: authentication failed for user jacques - 190.16.165.230